Saturday, January 08, 2011

Unfortunately, 4 million is nowhere close to a record. But this surely makes the “top ten most incomprehensible security failures” list...

Mobile security outrage: private details accessible on net

January 8, 2011 by admin

Natalie O’Brien reports:

The personal details of millions of Vodafone customers, including their names, home addresses, driver’s licence numbers and credit card details, have been publicly available on the internet in what is being described as an “unbelievable” lapse in security by the mobile phone giant.

The Sun-Herald is aware of criminal groups paying for the private information of some Vodafone customers to stand over them.

Other people have apparently obtained logins to check their spouses’ communications.

Personal details, accessible from any computer because they are kept on an internet site rather than on Vodafone’s internal system, include which numbers a person has dialled or texted, plus from where and when.

The full extent of the privacy breach is unknown but The Sun-Herald has learnt that possibly thousands of people have logins that can be passed around and used by anyone to gain full access to the accounts of about 4 million Vodafone customers.

Read more in the Sydney Morning Herald.

[From the article:

Vodafone retailers have said each store has a user name and password for the system. That access is shared by staff and every three months it is changed. Other mobile dealers who sell Vodafone products also get full access to the database.

Anyone with full access can look up a customer's bills and make changes to accounts.

(Related) What good is all that information without a simple exploit? For my Ethical Hackers

'SMS of Death' Could Crash Many Mobile Phones

"Research presented at a conference in Germany last week shows that phones don't even have to be smart to be vulnerable to hackers. Using only Short Message Service (SMS) communications, a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. The trick works for handsets made by Nokia, LG, Samsung, Motorola, Sony Ericsson, and Micromax, a popular Indian cell-phone manufacturer."

Interesting that they ask for some data by Username (assuming that it is an individual of interest?) and some by name (assuming they have Twitter accounts?) Which is more likely to result in an unrelated individual's information being hoovered up with the “persons of interest?” What is the impact of asking for the records of a member of Iceland's parliament? (Is there Diplomatic Immunity on the Internet?)

WikiLeaks Supporters' Twitter Accounts Subpoenaed

"The US Justice Department has served Twitter with a subpoena for the personal information and private messages of WikiLeaks supporters. There's a copy of the subpoena here (PDF); boing boing has a detailed article. Twitter has 3 days to turn over the information."

Imagine every Internet service demanding “ePapers, Citizen!”

Internet Freedom Alert: Obama Admin Pushing Ahead Today with Dangerous “Internet Trusted Identity” Scheme

January 7, 2011 by Dissent

Lauren Weinstein sounds the alert:

Greetings. At this moment — as I type this — the Obama administration is pushing forward with its horrendous DHS-linked “Trusted Internet Identity” scheme (formally – “NSTIC”: “National Strategy for Trusted Identities in Cyberspace”) via a meeting and announcements today at the Stanford Institute for Economic Policy Research.

As I’ve discussed in Why the New Federal “Trusted Internet Identity” Proposal is Such a Very Bad Idea and postings linked within that article, NSTIC is an incredibly dangerous concept fraught with all manner of major direct and collateral risks to individuals, organizations, freedom of speech, and civil rights in general.

In contrast to the benign concepts of Net Neutrality — which despite right-wing claims to the contrary will not result in a government “takeover” of the Internet or the muzzling of free speech — NSTIC in fact carries very much those actual risks.

Read more on Lauren Weinstein’s Blog.

[From the blog:

NSTIC will never remain "voluntary" as its proponents claim. It will ultimately put the government firmly into every networked computing device that we use, and become the key mechanism to track users, control access to information, eliminate legitimate anonymity, and otherwise convert the Internet into a tool more suited for future oppression than open communication.

For my Data Mining and Analysis students. Note the application to measuring the rise (and fall) of specific memes and technologies.

January 06, 2011

Quantitative Analysis of Culture Using Millions of Digitized Books

Quantitative Analysis of Culture Using Millions of Digitized Books, Published Online 16 December 2010, Jean-Baptiste Michel et al. Science DOI: 10.1126/science.1199644.

  • "We constructed a corpus of digitized texts containing about 4% of all books ever printed. Analysis of this corpus enables us to investigate cultural trends quantitatively. We survey the vast terrain of “culturomics”, focusing on linguistic and cultural phenomena that were reflected in the English language between 1800 and 2000. We show how this approach can provide insights about fields as diverse as lexicography, the evolution of grammar, collective memory, the adoption of technology, the pursuit of fame, censorship, and historical epidemiology. “Culturomics” extends the boundaries of rigorous quantitative inquiry to a wide array of new phenomena spanning the social sciences and the humanities... We report the creation of a corpus of 5,195,769 digitized books containing ~4% of all books ever published. The corpus has emerged from Google’s effort to digitize books."

See also Geoffrey Nunberg, Chronicle of Higher Education - Counting on Google Books

For my Small Business Management students.

LotR Online's Free-To-Play Switch Tripled Revenue

Last June, Turbine made the decision to switch Lord of the Rings Online from a subscription-based business model to a free-to-play model supported by microtransactions. In a podcast interview with Ten Ton Hammer, Turbine executives revealed that the switch has gone well for the company, with game revenues roughly tripling. The active player base has also grown significantly in that time. Executive Producer Kate Paiz said, "This really echoes a lot of what we've seen throughout the entertainment industry in general. It's really about letting players make their choices about how they play."

Interesting – like an interactive PowerPoint...

Friday, January 7, 2011

Interactive Guides to Global Issues

The Council on Foreign Relations has a nice collection of interactive guides to contemporary global political and economic issues. In all there are twenty-three guides in the collection. Some of the topics the guides cover are nuclear energy, the Iraq War, tensions in the Korean Peninsula, the global economy, and climate change. Each guide is divided into chapters. Each chapter contains videos, graphics, text, and timelines to help viewers understand the many layers of each issue.

Quelle surprise

College Students Lack Scientific Literacy

An anonymous reader writes with news of research into the scientific literacy of college biology students. Earlier studies found that students tended to "rely on mainly informal reasoning derived from their personal experiences," so the researchers derived a new instructional framework that explicitly taught principle-based reasoning. While the number of students who used this method did increase, more than half continued to use informal reasoning, which the researchers say points to a flaw in the way biology is taught (PDF). "Most college-level instruction presents students with complicated narratives about the details of key processes (e.g., cellular respiration), but does not explicitly reinforce the use of key principles to connect those processes. Therefore, students are understandably occupied with memorizing details of processes without focusing on the principles that govern and connect the processes. ... As a result, students may leave an introductory biology course with the ability to recite the reactions in the Calvin cycle but still believing that plants obtain most of their mass from the soil rather than from the atmosphere, that plants photosynthesize but do not respire, or that the mass of a decomposing organism will primarily return to the soil."

Friday, January 07, 2011

Once upon a time, it was common for crooks to steal pantyhose to use as a mask. Now it appears worthwhile to purchase a retail business if it gives you access to lots of credit cards... I can only assume the economics still make sense.

(update) EVG Quality Gas breach, Sierra Madre

January 6, 2011 by admin

A small update to the story by Adolfo Flores of the Pasadena Star News:

The Secret Service has been called in. As significantly, the police are still looking for the owner of the gas station who closed the business and left town during Christmas week – right before all of the fraud reports started coming in.

“In this case we are looking for three individuals, one of them is the former owner (Evgeny) Yakimenko,” Police Chief Marilyn Diaz

At a 7 a.m. press conference authorities provided a photograph of a man withdrawing funds from a victim’s account in Montebello. They are also investigating a Valero gas station up the street from EVG for fraudulent transactions.

Diaz confirmed that a skimming device was used to gather victims’ information when they used their cards in an ATM or in-store transaction.

Another “bargain” that's too good to be true.

Thousands of stolen iTunes accounts for sale in China

January 6, 2011 by admin

Tens of thousands of fraudulent iTunes accounts are for sale on a major Chinese website, it has been revealed.

Around 50,000 accounts linked to stolen credit cards are listed on auction site TaoBao, the country’s equivalent of eBay.

Buyers are promised temporary access to unlimited downloads from the service for as little as 1 yuan (10p) a time.

Apple, which recently stepped up iTunes’ security after a series of break-ins, declined to comment.

Read more on BBC.

Zou Le, of Global Times, who broke the story, reports, in part:

For merely 200 yuan ($30) a pop, an Internet user in China can purchase up to $200 worth of digital products at Apple Inc’s vast music, movie and applications vault.

Far from being a benevolent offer by the fruit-favoring giant, this offer is the result of the theft of iTunes user account details stolen by hackers who then auctioned them online.

The Global Times discovered Wednesday that about 50,000 illegal accounts are being sold at, China’s largest online store, at prices ranging from 1 yuan to 200 yuan.

Potential buyers are promised access to music and movies through iTunes amounting to seven times more than the amount paid.

The only restriction is that all downloads should be made within 24 hours of the transaction being completed at Taobao.

The websites show that thousands of such accounts have been sold over the past several months.

Another swing of the pendulum?

EPIC Files Brief in Airport Body Scanner Case

January 6, 2011 by Dissent


EPIC has filed its reply brief in the suit to suspend the Department of Homeland Security’s controversial airport body scanner program. The brief argues that “the TSA has acted outside of its regulatory authority and with profound disregard for the statutory and constitutional rights of air travelers, the agency’s rule should be set aside and further deployment of the body scanners should be suspended.” EPIC filed its opening brief on November 1, 2010, arguing that the body scanners are “unlawful, invasive, and ineffective.” On January 6, EPIC held a one-day public conference “The Stripping of Freedom: A Careful Scan of TSA Security Procedures” in Washington, DC. Oral argument will be heard in the case on March 10.

Privacy risks: What records would you need to disprove these allegations?

Nurse claims she was fired for complaining about HIPAA violations

By Dissent, January 6, 2011

Michelle Massey reports:

A former nurse is seeking more than $15 million from a Tyler hospital alleging she was fired after complaining about employees taking pictures of sedated patients and posting the pictures on Facebook.

Debbie Blevins filed suit against Tyler Cardiovascular Consultants on Dec. 22 in the Eastern District of Texas, Tyler Division.

She accuses the defendant of allowing staff, including doctors, to post pictures of sedated patients on social networking websites, such as Facebook, in violation of Health Insurance Portability and Accountability Act privacy laws, ethical standards and basic morals.

Read more in the Southeast Texas Record.


Nursing student wins Facebook placenta photo case against JCCC

By Dissent, January 7, 2011

Matt Campbell reports:

Doyle Byrnes has every intention of resuming her nursing studies after a federal judge overturned her dismissal from the program for posting a photo of a human placenta on Facebook.

The judge on Thursday shot down every argument, legal and otherwise, that Johnson County Community College had used to justify its ousting of Byrnes last fall, preventing her from graduating on schedule in May.

Read more in the Kansas City Star.

While I think I actually appreciate the school’s concern about image or how the public might be fearful of how privacy is treated, I think this is a good decision. It was – and should have remained – a teachable moment. How many lives would have been forever altered if one student had not had the determination and resources to actually take the college to court?

[From the article:

Clifford Cohen, Byrnes’ attorney, argued his client was deprived of due process and a disciplinary hearing.

In Melgren’s ruling, he found:

  • Photos are taken to be viewed, and if the students were given permission to photograph the placenta, it became irrelevant what they did with the pictures.

  • There was no violation of any patient’s privacy because there was nothing in the photos to identify whose placenta it was.

  • Byrnes was not allowed a fair hearing on her dismissal.

Melgren acknowledged that the Facebook element of the case mystified him, but he said: “Today’s generation of students is today’s generation of students and I don’t know that what they did was disruptive. I think the college’s reaction was disruptive.”

Would the casinos be required to show their software in court and explain how it was “hacked?”

Man Arrested For Exploiting Error In Slot Machines

"A man awaiting trial in Pennsylvania was arrested by Federal agents on Jan. 4, and accused of exploiting a software 'glitch' within slot machines in order to win payouts. The exploit may have allowed the man to obtain more than a million dollars from casinos in Pennsylvania and Nevada, and officials say they are investigating to see if he used the method elsewhere. The accused stated that 'I'm being arrested federally for winning on a slot machine. Let everybody see the surveillance tapes. I pressed buttons on the machine on the casino. That's all I did.' Apparently, slot machine software errors are fairly common. The lesson here seems to be that casinos can deny you a slot machine win any time they wish by claiming software errors, and if you find an error that you can exploit, you may find yourself facing Federal charges for doing so."

[From the article:

When the correct sequence of buttons was pushed, the machine displayed false double jackpots. No casino officials noticed because the bogus jackpots weren't being recorded in the machine's internal system. [The casinos didn't have records to support cash payouts? I doubt that! Bob]

When I read this I thought they were asking for a tax on their sales. In fact, they apparently can't figure out how to sell anything online, so they are competing with tax-free internet stores. Still can't figure why they want taxes added to their competitors' sales rather than dropping the taxes on their sales...

Aussie Retailers Lobby For Tax On Online Purchases

"Major Australian retailers are running a print advertising campaign to get the government to decrease the amount where the Goods and Services tax (Australian sales tax) comes into effect for all online purchases. Currently, the tax free amount is at $1000 AUD for online purchases. The retailers, such as Target, Harvey Norman, David Jones, Myer and others, are lobbying through newspapers and are considering launching a television commercial. The print adverts are claiming that if the amount remains the same, Australian jobs will be lost and the economy will be harmed. This is facing a massive backlash from consumers, and the government's assistant treasurer said it was an action by stores to fix the issues affecting them."

[From the ABC article:

"If you've got a challenge which has been a long time in the making - which is the rise of the internet - then just thinking that you can slap a tax and solve all your problems and make the problems go away isn't right," he said.

Is this why my Ethical Hackers drive a different car every day?

New Cars Vulnerable To Wireless Theft

"In a story published by Technology Review, researchers have demonstrated multiple times that they can bypass the security of wireless entry and ignition systems to take a car without the owner's permission. As researchers in the article point out, car security systems will begin to have a real impact on everyday use if a thief can simply walk up to your car and drive it away. Although this article is light on technical details, a companion article shows how the researchers accomplished the security bypass. An interesting read, and certainly something that will no doubt be the subject of a new movie any day now."

Interesting. Will it inspire my Small Business Management students?

10 Business Models That Rocked 2010

Amazing how Dilbert can summarize everything we know about Cloud Computing!

Thursday, January 06, 2011

Looking to 2011 – not a pretty picture.

Experts Forecast Top Seven Trends in Healthcare Information Privacy for 2011

By Dissent, January 5, 2011

In today’s installment, we gaze into the crystal ball to see what 2011 might have in store for us:

What are the top security and privacy issues facing the healthcare industry in 2011? A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach, and governance were asked to weigh in with their forecasts for 2011. These experts suggest that as health information exchanges take form, millions of patient records—soon to be available as digital files—will lead to potential unauthorized access, violation of new data breach laws and, more importantly, exposure to the threat of medical and financial identity theft.

These predictions are supported by the recent Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security, published November 2010, which found that data breaches of patient information cost the healthcare industry $6 billion annually; protecting patient data is a low priority for hospitals; and the healthcare industry lags behind the recently enacted HITECH laws.

The top predictions for 2011 include:

  1. Health information exchanges, many of which will be launched by inexperienced and understaffed organizations, will force more attention on security and privacy;

  2. Increased fines and regulatory action by State Attorneys General and regulatory agencies;

  3. Data breaches and associated costs will increase, as penalties for information security negligence are acted on;

  4. Hospital governing-boards will exert their power to manage data breach risks in order to increase accountability and fiduciary responsibility;

  5. A significant “data spill” is inevitable and will bring national attention to the issue;

  6. Heightened patient awareness and concern over the security of their private medical data;

  7. The finalization of data breach notification rules by the Department of Health and Human Services could remove the controversial “harm threshold” provision that determines whether notification is required when an incident occurs. If removed, this will create a risk of over notification and desensitization of patients. [Note from Dissent: it will create a risk of entities being embarrassed and patients leaving. I doubt if any patient would truly ignore a letter that provides sufficient details for them to determine whether they need to take action to protect their medical privacy.]

Industry-Wide Experts Share Their Opinions and Insight

Dr. Larry Ponemon, chairman and founder, Ponemon Institute; research experts in privacy, information security policy and information management

“Endemic failure to keep pace with best practices and advancing technology has resulted in antiquated data security, governance, policy plaguing in the healthcare industry. Millions of patients are at risk for medical and financial identity fraud due to inadequate information security. Information security in the healthcare industry is at the fulcrum of economic, technological, and regulatory influence and, to date, it has not demonstrated an ability to adapt to meet the resulting challenges—but it must. The reputation and well-being of those organizations upon which we rely to practice the healing arts depends on it.”

Dr. Deborah Peel, M.D., practicing physician and founder of Patient Privacy Rights; the nation’s health privacy watchdog

“2011 will be the year that Americans recognize they can’t control personal health information in health IT systems and data exchanges. Will 2011 be the year that data security and privacy are the top of the nation’s agenda? I hope so. The right to privacy is the essential right of individuals in vibrant Democracies. If we don’t do it right in healthcare, we won’t have any privacy in the Digital Age.”

Cliff Baker, managing partner for Meditology, a healthcare IT risk management and deployment services firm

“In 2011, we can expect that the Department of Health and Human Services Office for Civil Rights will be gearing up its proactive audits. Where does this leave OCR audits in 2011? They’re probably directed at those organizations that have breaches attributable to known and published high-risk areas. Look for those organizations to be dealing with OCR auditors camped out at their facilities in 2011.”

Ernie Hood, vice president and CIO, Group Health Cooperative; one of the nation’s largest consumer-governed health care systems

“The healthcare industry is on the verge of a major shift. Organizations are venturing into the electronic world for the first time as practices implementing electronic health records and states are launching health information exchanges. A surge of new data will be brought online by a lot of inexperienced organizations fueled by monetary government incentives. Mistakes are a certainty. Combine this with sophisticated approaches to identity theft by organized crime, and breaches will happen. When a breach occurs, the way the organization handles it publicly will be critical.”

Rick Kam, president and co-founder, ID Experts; comprehensive data breach solutions

“Health information exchanges will raise the awareness of security and privacy. I am seeing organizations shift their focus from implementation of electronic health records to a focus on the next phase of “meaningful use,” specifically how they are going to share patient records through health information exchanges. There will also be more concern over accountability if PHI is breached. How will a patient know who is responsible when a health information exchange has a data breach? Who will they hold accountable to fix the problem and for the financial, reputational, and other damage they experience? I think a lot of work needs to be done in this area and it will come into focus as a ‘must do’ initiative in 2011.”

Sandeep Tiwari, CEO, Zafesoft, Inc.; provider of information security and control software

“As healthcare information becomes more mobile, issues with security will only become increasingly complex. Healthcare is a mammoth space that changes and moves slowly, but when it does, it moves en masse. In the case of PHI/PII the laws were ahead of the technology. To date, there have been no secure audit trails, which impacts the effectiveness of the laws. If we can’t track how and when private and personal information is accessed, we will never secure it.”

Larry Walker, president of The Walker Company; governance consultant to health care organizations

“Patient health information data breaches are one of the most significant legal and public trust risks facing hospital governing boards, which are legally and ethically accountable for the results of a breach. The board of trustees has a fundamental fiduciary responsibility to ensure that patients’ health information is safe and secure at all times. To do this, boards must establish the prevention of data breaches as a critical organizational priority, ensure that financial resources sufficient to achieve the objective are made available, and require periodic updates from senior management on data breach risks and methods being utilized to close potential breach gaps. This should be one of the critical agenda items for hospital and health system boards in 2011.”

For more information, visit

Looking back at 2010, hard to see what happened...

Massachusetts Attorney General Reviews 2010 Data Breach and Data Security Regulations Compliance

January 5, 2011 by admin

Ellen M. Giblin writes:

With the first anniversary of the Massachusetts Data Security Regulations, 201 CMR 17 (pdf)(“Regulations”), coming in March, the International Association of Privacy Professionals (IAPP) recently hosted a panel discussion providing direct access to the Massachusetts Attorney General’s Office and the Office of Consumer Affairs and Business Regulation to discuss their investigations to date and their current approach to enforcement.


Scott Shafer opened with an overview of the enforcement actions to date and the daily reviews his office conducts. Shafer noted at the outset, the Attorney General’s (AG) current enforcement approach is not audit based due to insufficient resources. However, the AG is receiving a daily average of three to four data breach notifications pursuant to Massachusetts General Laws Ch. 93H (the “Notice Law”), and each breach report is closely reviewed.

Read more on Workplace Privacy Counsel.

I wonder who the 3% are who aren't required to secure their data?

January 05, 2011

Majority of Federal Employees Go Beyond Mandatory IT Security Requirements

News release: "Most Federal employees go beyond baseline IT security requirements, according to a new survey by the Government Business Council, the research division of Government Executive Media Group, and CDW Government LLC (CDW-G), a leading provider of technology solutions to government, education and healthcare customers. While 97 percent of Federal employees are required by their agencies to use authentication measures such as passwords, security tokens and biometric identifiers, most take still more security precautions to protect agency data. Respondents noted that they proactively lock their screens when they are away from their computers and only use secure network connections and agency-issued machines to further secure information... The survey, underwritten by CDW-G in partnership with HP, conducted in September 2010, captured the views of 230 randomly selected Federal defense and civilian decision makers."


Wikileaks As Security Breach

January 5, 2011 by Dissent

Ryan Calo writes, in part:

The leak represents an appalling security breach—one that makes TJX look like a misplaced diary. As I argue in a previous post, the leak threatens a set of classic privacy harms. One of the central roles of privacy is to help preserve the conditions for intimacy. The leak means that leaders will be less candid with U.S. diplomats going forward, who in turn will report back insights only with great caution. No one will take U.S. promises of confidentiality seriously. At the margins, this shattering of intimacy may take certain diplomatic options off the table. All because the government failed to take minimal steps to keep information within its proper context.

The government can—and in my opinion, should—prosecute Manning. Still, the responsibility for this breach lies squarely with the state. The U.S. hired, trained, and supervised Manning, and it built the system that permitted this young adult to undermine global diplomacy with a Lady Gaga CD.

Read his entire commentary on The Center for Internet and Society

The Cloud Computing wars begin!

January 05, 2011

Google Wins Injunction in Cloud Computing Bid Protest Against Interior

Follow up to Google Files Bid Protest Against Dept. of Interior Over Hosted Email and Collaboration Services, news that Google wins: Interior forbidden to award noncompetitive contract to Microsoft - "U.S. Federal Claims Court Judge Susan Braden ruled on Jan. 3 that negotiations for a sole source contract with Microsoft “commenced many months prior to July 15, 2010,” when department officials decided Microsoft's software was their standard for e-mail and computer operating systems. Meanwhile, Google had been trying to get considered for the work as well."

Supply & Demand: Maybe they didn't pay enough?

Goldman Closes Facebook Fund After Billions in Orders Pour In

Just days after announcing a private investment placement that values Facebook at $50 billion, Goldman Sachs’ controversial fund is already oversubscribed, The Wall Street Journal reported late Wednesday. The platinum-plated Wall Street titan will not seek any further investments after receiving orders worth several billion dollars, the paper said.

That strong response from Goldman’s wealthy clients appears to have far exceeded the $1.5 billion the bank had planned to raise, and leaves absolutely no doubt that the appetite for a piece of the world’s largest social network — still a private company that outsiders can only speculate brings in a reported $2 billion a year — is voracious.

… An offering document for the fund said Facebook made a profit of $200 million in 2009 on revenue of $777 million, but did not disclose 2010 revenue, though industry experts have pegged it at $2 billion, the paper said.

For my ethics class...

January 05, 2011

2010 Law School Survey of Student Engagement

2010 Law School Survey of Student Engagement: "Findings reveal that students who interacted with faculty more often were significantly more likely to report substantial gains in key areas related to professionalism and ethics compared to students with less faculty contact. Despite the benefit to students, opportunities for student-faculty interaction often are missed. Results also indicate that only half of students (53%) felt prepared to deal with ethical dilemmas that arise in practice."

For my Computer Security students.

The 9 Types of Computer Viruses To Watch Out For & What They Do


Securing the Smart Grid

"Securing the Smart Grid: Next Generation Power Grid Security, authors Tony Flick and Justin Morehouse provide a comprehensive and first-rate overview of smart grid technology and what is needed to ensure that it is developed and deployed in a secure and safe manner. An issue is that smart grid has a significant amount of hype around it, including the promise that it will make energy more affordable, effective and green. With that, promises around security and privacy are often hard to obtain."

For my Data Mining and Analysis students

January 05, 2011

Google Refine, a power tool for working with messy data

"Google Refine is a power tool for working with messy data, cleaning it up, transforming it from one format into another, extending it with web services, and linking it to databases like Freebase."

Wednesday, January 05, 2011

Worth looking at their “guide”

DuckDuckGo Challenges Google On Privacy With

January 4, 2011 by Dissent

Matt McGee writes:

DuckDuckGo, a small search engine that’s largely flown under the public radar, has started the new year by taking a public shot at Google on the issue of search privacy. The company has launched, an illustrated guide showing how Google tracks its users … and how DuckDuckGo doesn’t.

The site:

  • shows how a search for “herpes” shows up in Google Analytics as a search referral with information about the user’s location, browser, and other data

  • shows how the “herpes” search can lead to targeted ads being associated with a user profile and how that profile can “potentially show up in unwanted places like insurance, credit & background checks”

Read more on Search Engine Land.
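The leak the guide illustrates is the HTTP Referer header: when a result page's URL contains the search terms, a click on any result carries that URL (terms included) to the destination site, where an analytics script reads it alongside the browser string and the client IP. The following is an added example, not code from DuckDuckGo, Google or the Search Engine Land article. It parses a constructed search-engine referer the way a site's analytics does, then shows how routing clicks through a redirect URL that carries only the destination keeps the terms out of the Referer. The redirect host and `to` parameter are hypothetical; the query-parameter names (`q`, `p`) are the ones those engines use, and every URL and header value is constructed.

```python
"""Added example: how search terms leak to a destination site through the
Referer header, and how a redirect link removes them. All URLs, headers and
IPs below are constructed for illustration."""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Query-string parameter that carries the search terms on a few engines.
# The parameter names are real; the table itself is a constructed lookup.
SEARCH_QUERY_PARAMS = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
}

# Hypothetical redirect endpoint (assumption, not any real engine's URL).
REDIRECT_HOST = "redirect.example"
REDIRECT_PATH = "/redirect"


def extract_search_query(referer):
    """Return the search terms embedded in a search-engine referer, or None.
    This is the step that lets an analytics script label a page view a
    'search referral' and record what the visitor searched for."""
    if not referer:
        return None
    parts = urlparse(referer)
    param = SEARCH_QUERY_PARAMS.get(parts.netloc.lower())
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    return values[0] if values else None


def analytics_record(headers, client_ip):
    """Build the kind of record a third-party analytics script sees for one
    page view: referral terms (if any), referring host, browser string and
    the client IP, which most analytics products geolocate to city level."""
    referer = headers.get("Referer", "")
    return {
        "search_query": extract_search_query(referer),
        "referrer_host": urlparse(referer).netloc or None,
        "user_agent": headers.get("User-Agent"),
        "client_ip": client_ip,
    }


def redirect_url(result_url):
    """Privacy-preserving result link: the click goes to a redirect URL that
    names only the destination, so the browser sends that URL (not the
    results page with the query in it) as the Referer to the final site."""
    query = urlencode({"to": result_url})
    return urlunparse(("https", REDIRECT_HOST, REDIRECT_PATH, "", query, ""))


def compare_flows(query, result_url):
    """Constructed comparison: what the destination site's analytics learns
    when the result page links directly versus through the redirect."""
    direct_referer = "https://www.google.com/search?" + urlencode({"q": query})
    ua = "Mozilla/5.0 (constructed user agent string)"
    client_ip = "203.0.113.7"  # documentation-range address, constructed
    return {
        "direct": analytics_record(
            {"Referer": direct_referer, "User-Agent": ua}, client_ip),
        "redirected": analytics_record(
            {"Referer": redirect_url(result_url), "User-Agent": ua}, client_ip),
    }


if __name__ == "__main__":
    for flow, record in compare_flows("herpes", "https://health.example/page").items():
        print(flow, record)
```

Running the block shows the "direct" record carrying the search term and the "redirected" record carrying only the redirect host; the browser string and IP reach the site in both cases, which is why the redirect removes the query but not the location and browser data the guide also mentions. Browsers added a `Referrer-Policy` header (and `no-referrer` value) some years after this article; a site linking out can use it for the same purpose, but the redirect approach works without relying on the destination or the browser.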

Some interesting and conflicting statements. This should be fun to watch...

DHS Files Brief in EPIC Airport Body Scanner Case

January 4, 2011 by Dissent


The Department of Homeland Security has filed its answer brief in EPIC’s suit to suspend the agency’s controversial airport body scanner program. EPIC filed its opening brief on November 1, 2010, arguing that the body scanners are “unlawful, invasive, and ineffective.” Since then, a national grassroots movement of citizens, advocates, and lawmakers staged protests, sent letters, held hearings (2), and introduced legislation (2, 3) to stop the program. DHS has repeatedly attempted to delay resolution of EPIC’s lawsuit, but the Court has scheduled oral argument for March 10, 2011.

Interesting, but not well defined concept. How would you hold organizations that discriminate based on Facebook (or Behavioral Advertising) accountable?

Article: Accountability as a Driver of Innovative Privacy Solutions

January 4, 2011 by Dissent

Joan Feigenbaum of the Yale Computer Science Department has an article, “Accountability as a Driver of Innovative Privacy Solutions,” available online.

The abstract:

The standard technical approach to privacy in particular and computer security in general is preventive: Before someone can access confidential data or take any other action that implicates privacy or security, he should be required to prove that he is authorized to do so. As the scale and complexity of online activity has grown, it has become increasingly apparent that the preventive approach is inadequate. It is our thesis that a paradigm shift to accountability, rather than prevention, as an organizing principle for privacy in online interaction could spark much needed innovation.

Interesting thought exercise!

Privacy vs. Security vs. Anonymity

January 4, 2011 by Dissent

Sasha Romanosky writes:

When I first began my PhD at Carnegie Mellon, I was keen to properly sort and define any new terms and reconcile them with my own education and experience. Three terms that always seemed to be intermingled were: Privacy, Security and Anonymity. Certainly they are related, but I wanted to be a little more specific and understand exactly when and how they overlapped.

First, let’s establish some basic definitions. For the purpose of this blog post, the following definitions will suffice (I’ll address alternative definitions later):

• Privacy: having control over one’s personal information or actions
• Security: freedom from risk or danger
• Anonymous: being unidentifiable in one’s actions

Next, create a Venn diagram with three overlapping circles (each circle representing one term). Then, within each area, try to provide examples that reflect those properties. That is, imagine some situation where you would have security without privacy, or security without anonymity. When can you have all three? When can you be anonymous but lack privacy?

Read more on Concurring Opinions.

[A sample Venn Diagram (humor?):

Not sure I find much logic here. How important is it to interpret fact based on the sender's bias? If someone pounds on my hotel door and screams “Fire!” should I ask his political affiliation before I take action?

Anonymity and the Dark Side of the Internet

January 4, 2011 by Dissent

Stanley Fish opines:

In McIntyre v. Ohio Elections Commission (1995) the Supreme Court overturned a statute requiring any person who prints a notice or flyer promoting a candidate or an issue to identify the communication’s author by name. Justice John Paul Stevens, writing for the majority, grounded his opinion in an account of meaning he takes from an earlier case (First National Bank of Boston v. Bellotti): “The inherent worth of . . . speech in terms of its capacity for informing the public does not depend upon the identity of its source, whether corporation, association, union, or individual.” Or, in other words, a writing or utterance says what it says independently of who happens to say it; the information conveyed does not vary with the identification of the speaker.

There are at least two problems with this reasoning.

Read more in the New York Times.

Monopoly is as a monopoly does... (“Looming” might be a bit too generous.)

January 04, 2011

The Looming Cable Monopoly

The Looming Cable Monopoly, by Susan P. Crawford, 12/16/2010, vol. 29 Yale Law & Policy Review

  • "On March 9, 2010, the city of Alexandria, Virginia received a letter from Verizon. The letter, signed by Verizon’s Virginia president, Robert Woltz, said that Verizon would not be installing FiOS services in Alexandria. The mayor of Alexandria, William Euille, was disheartened: The city council had already awarded Verizon a contract to install fiber service and had spent hundreds of thousands of dollars negotiating a cable franchise agreement with the company. Verizon, for its part, declared that it was suspending FiOS franchise expansion around the country. Just one week later, the Federal Communications Commission (FCC) rolled out its National Broadband Plan. The Plan, which was based on the assumption that “broadband is a foundation for economic growth, job creation, global competitiveness and a better way of life,” and was said by the FCC to be “lay[ing] out a bold roadmap to America’s future,” made a host of detailed recommendations. These recommendations focused largely on making more spectrum available for wireless broadband use, and reforming the nation’s Universal Service Fund. The Plan did not discuss net neutrality or competition policy. There were likely good reasons for these omissions. The Commission wanted to be seen as setting forth a vision for the country’s broadband future and was trying to keep any discussion of the newly-contentious subject of net neutrality on a separate, dedicated track. Also, the Commission was not, as of March 2010, eager to address the market structure of high-speed Internet access services."

[From the article:

Here is a translation of this section: Where Verizon FiOS service exists, there will be competition with cable Internet access service providers for high-speed Internet access at speeds that are necessary to carry out real-time video conferencing or watch high-definition video. Where FiOS is not installed, there will not be any competition, and consumers will have just one provider to choose from: their local cable monopoly. Most Americans—perhaps as many as 85% of us—will fall into this latter category. As of March 2010, with Verizon’s announcement that it would not be expanding service to their town, the citizens of the City of Alexandria had just joined this group.[10]

It might be interesting to see who has a “get out of jail free”: card.

Florida Newspaper Demands Private-Public Records

January 4, 2011 by Dissent

If a city uses a private company to issue traffic tickets to red light violators, are the ticket records of the ticket-issuing contractor public records by extension or are they the private records of the private entity? And if they are public records, can they be disclosed without violating the federal Drivers Privacy Protection Act? Courthouse News reports on an interesting case in Florida:

The St. Petersburg Times sued Kenneth City and American Traffic Solutions, which won a city contract to issue traffic citations to red-light violators. The city and the private company both blew off the newspaper’s FOIA requests; ATS said it “does not consider records it creates and maintains to be ‘public records.’” The newspaper disagrees.


An ATS attorney wrote to Lindberg that “ATS does not consider records it creates and maintains to be ‘public records.’” ATS offered to tell Lindberg “the number of violations that have been received, but not the names of the drivers.”

In a subsequent interview with the police chief, the chief told Lindberg “that the city does receive a report from ATS containing the names of the alleged red light violators,” according to the complaint. But the city refused to release the records, claiming disclosure would “violate the Drivers Privacy Protection Act.”

The Times says it “has a clear legal and constitutional right to inspect all public records to which no statutory exemption applies,” and adds that “the city has a mandatory and nondiscretionary duty to permit the inspection of all nonexempt public records.”

Read more on Courthouse News.

Related: Complaint in Times Publishing v. City of Kenneth City.

Refining the definition of the Cloud.

January 04, 2011

Economist - Computing services are both bigger and smaller than assumed

Tanks in the cloud - Computing services are both bigger and smaller than assumed: "Clouds bear little resemblance to tanks, particularly when the clouds are of the digital kind. But statistical methods used to count tanks in the second world war may help to answer a question that is on the mind of many technology watchers: How big is the computing cloud? This is not just a question for geeks. Computing clouds—essentially digital-service factories—are the first truly global utility, accessible from all corners of the planet. They are among the world’s biggest energy hogs and thus account for a lot of carbon dioxide emissions. More happily, they allow firms in developing countries to leapfrog traditional information technology (IT) and benefit from advanced computing services without having to build expensive infrastructure... The “cloud of clouds” has three distinct layers. The outer one, called “software as a service” (SaaS, pronounced sarse), includes web-based applications such as Gmail, Google’s e-mail service, and, which helps firms keep track of their customers. This layer is by far the easiest to gauge. Many SaaS firms have been around for some time and only offer such services. In a new study Forrester Research, a consultancy, estimates that these services generated sales of $11.7 billion in 2010."

Egotistical or essential? One way to use the Cloud...

Easy Lifecaching: How To Back Up Your Online Life

For everyone with a BlackBerry...

Tuesday, January 04, 2011

Towards mandatory breach reporting?

ITRC 2010 Breach Report

January 3, 2011 by admin

The Identity Theft Resource Center has issued its end of year press release. It includes some of the organization’s key findings and stresses the need for more information and mandated disclosures. Breach reports by sector can be found on their site as well as their chronology of the breaches they recorded for 2010:

The Identity Theft Resource Center recorded 662 breaches on its 2010 ITRC Breach List. It is apparent, with few exceptions, that there is no transparency when it comes to reporting breaches. Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events. It is clear that without a mandatory national reporting requirement, many data breaches will continue to be unreported, or under-reported.

Mandatory reporting has had a positive impact on the reported number of medical data breaches. First published this year, the Department of Health and Human Services (HHS) Breach List has identified 214 breaches to-date. Unfortunately, the HHS database provides insufficient information for the public to know what types of records were placed at risk. The HHS breach report does not detail whether names, x-rays or Social Security Numbers (SSN) were included in the exposed data. The public has no way of knowing just how minor or serious the data exposure was for any given incident. Media has helped by reporting more details for some breach events.

In addition, state mandated reporting of all breaches – by several state Attorneys General – increased public reporting, but only applies if an individual in that state might be affected. In 2010, New Hampshire listed 96 breaches and Maryland reported 160. Wisconsin and Vermont have small lists of reported breach events.

Approximately 200 breaches, 29% of the 662 total reported by the ITRC, were credited to information provided by these “mandatory reporting” states. This is a clear argument for mandatory reporting to achieve transparency for the public.

Highlights of the ITRC Breach List analysis include:

  • Paper breaches account for nearly 20% (1/5th) of known breaches and typically go unnoticed until a consumer reports the problem to local media. There is generally no mandatory reporting requirement for paper breaches.

  • Malicious attacks still account for more breaches than human error, with hacking at 17.1% and insider theft at 15.4%.

  • 38.5% (255) of listed breaches did not identify the manner in which the information was exposed. This indicates a clear lack of transparency and full reporting to the public.

  • 51% of publicly reported breaches indicated the number of records exposed, totaling 16.1 million records. Note: records can mean credit cards, bank accounts or other information. It is not representative of the number of people involved.

  • However, nearly half of all breaches (49%) did not list number of potentially exposed records. This ingrained inaccuracy in reporting is another argument for mandatory reporting.

  • 412 breaches (62%) reported exposure of Social Security Numbers, representing 76% of known records.

  • 170 breaches (26%) involved credit or debit cards, representing about 29% of known records.

The nation needs a centralized, publicly available, data breach reporting site. It should be comprehensive enough to allow readers to find out what happened, what information was compromised, and why the breach happened. This would also allow law enforcement to better address this type of crime.

Breaches happen. Consumers, government and the business community need to stop acting like ostriches with their heads in the sand. Second, the concept of “risk of harm” is not acceptable for determining notification. This is true especially if the company involved is allowed to define “risk of harm.” Only a federal IT forensic specialist should have that authority. Breached information has been used months after the original exposure.

Are breached entities going to like the future? ITRC hopes they will embrace the change as productive and valuable. Mandatory reporting is on the horizon. It will be demanded either by consumer lobbying or legislation.

For the reports and statistics used for this release, go to

About the ITRC

The Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. Visit

Victims may contact the ITRC at 888-400-5530.

“You can fool all of the people some of the time...”

Espionage Via Spoofed White House eCard

When many people were caught up in the warm fuzzy feeling of peace on earth and goodwill toward man, it may have felt rewarding to receive a Christmas eCard from The White House. The bad news is that the spoofed seasons greetings contained malware aimed at espionage and sucked up several gigabytes of sensitive government documents. Some of the victims worked on cybersecurity as government employees and contractors.

… Regarding this Zeus banking Trojan variant, security blogger Mila Parkour wrote, it "appears to be designed for stealing documents as opposed to stealing passwords and banking information. This places this particular trojan in the category of malware designed for data theft and political/corporate espionage."

Any recipient who clicked on the links and opened the file were then infected with a Zeus Trojan variant that snatched documents and passwords and then uploaded the stolen data to a server in Belarus.

No need for concern. Everything is under control. These are not the droids you are looking for... I would imagine there are some Hotmail users who actually depend on this service. Perhaps now they will consider 'e-mail redundancy.'

Microsoft 'sorry' as Hotmail bug hits 17,000

Microsoft has apologized, but not explained why nearly 20,000 Hotmail accounts were mysteriously emptied of their contents during the Christmas holiday.

Corporate vice president for Windows Live Chris Jones blogged on Monday that 17,355 Windows Live Hotmail accounts had lost all their email messages during the course of what he called "mailbox load balancing between servers."

Inboxes and folders started emptying on December 30, with accounts appearing to be new and people receiving a "Welcome to Hotmail" email from Microsoft. Some affected accounts went back 10 years.

Users took to Hotmail forums pleading for Microsoft to restore their cherished accounts while others took to Facebook, launching a group to share their anguish and frustration with world+dog.

Jones responded on Monday to say that Microsoft had identified the problem by the evening of January 2 and that it had restored accounts – two days after messages went AWOL. He continued that Microsoft was sorry for the inconvenience to customers and partners.

… Further, Microsoft has been PR-ing people hard, trying to convince us that Hotmail is just one of a suite of services that the company can competently and reliably deliver in – where else? – the cloud.

In California you can probably be arrested for “failure to appreciate Avocados”

California Supreme Court: Court: No right to data privacy if you’re arrested

January 3, 2011 by Dissent

A significant ruling by the California Supreme Court is reported in the Central Valley Business Times today. The news story begins:

If you’re arrested in California, even for a traffic stop, police can rifle through the old text messages, photos, video and voice mail on your cell phone without a warrant, the state Supreme Court says.

It contends that a U.S. Supreme Court decision can be interpreted that there’s no violation of the Fourth Amendment if police comb through text messages without a warrant, if they’ve lawfully arrested you.

Read more on CVBT.

Related: Opinion in The People v. Gregory Diaz.

Green as in 'not ripe' or green as in 'moldy?'

January 03, 2011

Green Paper: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework

"The commercial data privacy issues discussed in the Department’s green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, provide a clear lens through which to assess current policy. Throughout the history of the Internet as a commercial medium, the Department of Commerce has been a key avenue of government engagement. Today, the Department continues this role, primarily through the Internet Policy Task Force, established by Secretary Locke. This Task Force is examining policy approaches that reduce barriers to digital commerce while strengthening protections for commercial data privacy, cybersecurity, intellectual property, and the global free flow of information."

Something for my Ethical Hackers – the ethics of Computer Security...

MS Asks Google To Delay Fuzzer Tool

"Polish Google security white hat Michal Zalewski has announced concerns that one of a hundred vulnerabilities his fuzzer tool found in IE is well known to third party hackers in China. His simple explanation provides an interesting counter argument to Microsoft's usual request that security problems not be released until they can slowly investigate them. From the article, 'Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.' You can read about and download cross_fuzz for your own use."

One of those “Heroes” who need a new strategy when the battle is won. What should we recommend?

Groklaw — Don't Go Home, Go Big

"You may have caught PJ's Christmas Day post on Groklaw, expressing her anger and frustration that, after she helped save Novell's Unix patents from SCO's clutches, Novell turned around and sold many of those patents to an open source-unfriendly coalition. She's feeling at a crossroads and wondering what Groklaw should become. Brian Proffitt has a suggestion: a bigger, more community-oriented site."

Another Ethical Quandary. Beware the “We can, therefore we must” arguments...

Using Technology To Enforce Good Behavior

"With the new year upon us and resolutions being made to change unwanted behavior, many tools are now available to help people stay in line, such as a GPS-enabled app that locks down texting once a car gets rolling and a program that cuts off credit-card spending. Another device monitors your workout and offers real-time voice feedback. Have we entered an era in which electronics serve as mother, cop and coach because we can't manage our own desires?" [What role should governments play? Bob]

(Related) Sounds like a useful tool, but does it also report/record where you parked and for how long?

French Use Space Tech To Find Parking Spots

"Using technology developed by French space agency CNES (Centre Nationale d'Etudes Spatiales) to explore the planet Venus, drivers in the city of Toulouse are discovering something much more down-to-earth: vacant parking spots. The system is based on 3,000 sensors buried just under the pavement that detect changes in the electromagnetic environment around them and communicate the results via coaxial cable to a server, which makes the information available in real time to drivers' smartphones."

Democracy, what a concept!

January 03, 2011

Justice Scalia's Comments on equal protection clause of the 14th Amendment to the U.S. Constitution

California Lawyer, January 2011 - Legally Speaking, The Originalist - Question: 'In 1868, when the 39th Congress was debating and ultimately proposing the 14th Amendment, I don't think anybody would have thought that equal protection applied to sex discrimination, or certainly not to sexual orientation. So does that mean that we've gone off in error by applying the 14th Amendment to both?

  • Answer: "Yes, yes. Sorry, to tell you that. ... But, you know, if indeed the current society has come to different views, that's fine. You do not need the Constitution to reflect the wishes of the current society. Certainly the Constitution does not require discrimination on the basis of sex. The only issue is whether it prohibits it. It doesn't. Nobody ever thought that that's what it meant. Nobody ever voted for that. If the current society wants to outlaw discrimination by sex, hey we have things called legislatures, and they enact things called laws. You don't need a constitution to keep things up-to-date. All you need is a legislature and a ballot box. You don't like the death penalty anymore, that's fine. You want a right to abortion? There's nothing in the Constitution about that. But that doesn't mean you cannot prohibit it. Persuade your fellow citizens it's a good idea and pass a law. That's what democracy is all about. It's not about nine superannuated judges who have been there too long, imposing these demands on society."

Clever idea for big (over $10 million) investors...

A "Private IPO" for Facebook?

Some have suggested that the deal could increase the pressure for Facebook to take the company public. The New York Times's Dealbook writes:

The new investment comes as the Securities and Exchange Commission has begun an inquiry into the increasingly hot private market for shares in Internet companies, including Facebook, Twitter, the gaming site Zynga and LinkedIn, an online professional networking site. Some experts suggest the inquiry is focused on whether certain companies are improperly using the private market to get around public disclosure requirements.

The deal could add pressure on Facebook to go public even as its executives have resisted. The popularity of shares of Microsoft and Google in the private market ultimately pressured them to pursue initial public offerings.

Indeed, there's already been some criticism of the way Goldman Sachs' investment is reportedly set up. According to Henry Blodget at Silicon Alley Insider:

One of the reasons Goldman just invested in Facebook was to create the ability for its clients to invest in Facebook--through a "special purpose vehicle". Specifically, Goldman has bought the right to buy $1.5 billion of Facebook stock for its clients via a single private investment entity. Goldman's clients who want to invest in Facebook will be given shares in the investment entity. And if the value of those shares rises, they'll cash in.

Voila! The private Facebook IPO. Just for Goldman clients.

For the Swiss Army folder...

7 Totally Awesome Tools For Cd/Dvds Tasks On Windows